用户注册和电子邮件激活

时间:2012-04-22 06:08:56

标签: php mysql database

我有以下注册代码 - 

<?php 
 // Connects to your Database 
 mysql_connect("my serner", "user", "password") or die(mysql_error()); 
 mysql_select_db("ec09580") or die(mysql_error()); 
 //This code runs if the form has been submitted
 if (isset($_POST['submit'])) { 
 //This makes sure they did not leave any fields blank
 if(isset($_POST['firstname']) && isset($_POST['lastname']) && isset($_POST['email']) && isset($_POST['username']) && isset($_POST['pass1']) && isset($_POST['pass2']))
           {
            $fname = $_POST['firstname'];
            $lname = $_POST['lastname'];

            $email_id = $_POST['email'];

            $username_r = $_POST['username'];
            $password_1 = $_POST['pass'];
            $password_2 = $_POST['pass2'];



 // checks if the username is in use
    if (!get_magic_quotes_gpc()) {

        $_POST['username'] = addslashes($_POST['username']);
    }
 $usercheck = $_POST['username'];
 $check = mysql_query("SELECT username FROM User WHERE username = '$usercheck'") 
or die(mysql_error());
 $check2 = mysql_num_rows($check);

 //if the name exists it gives an error
 if ($check2 != 0) {
        die('Sorry, the username '.$_POST['username'].' is already in use.');
    }
 // this makes sure both passwords entered match

    if ($_POST['pass'] != $_POST['pass2']) {
        die('Your passwords did not match. ');
    }
    // here we encrypt the password and add slashes if needed

    $_POST['pass'] = md5($_POST['pass']);

    if (!get_magic_quotes_gpc()) {
        $_POST['pass'] = addslashes($_POST['pass']);
        $_POST['username'] = addslashes($_POST['username']);
    }
}
 // now we insert it into the database
    $insert = "INSERT INTO User set FirstName='$fname', LastName='$lname',  Email='$email_id', username='$username_r', password='$password_1'";
    $add_member = mysql_query($insert);
    ?>
 <h1>Registered</h1>
 <p>Thank you, you have registered - you may now login</a>.</p>
 <?php 
 } 
 else 
 {  
 ?>
 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
 <table border="0">
 <tr><td>Firstname:</td><td>
 <input type="text" name="firstname" maxlength="60">
 </td></tr>
 <tr><td>LastName:</td><td>
 <input type="text" name="lastname" maxlength="60">
 </td></tr>
 <tr><td>Email:</td><td>
 <input type="text" name="email" maxlength="60">
 </td></tr>
 <tr><td>Username:</td><td>
 <input type="text" name="username" maxlength="60">
 </td></tr>
 <tr><td>Password:</td><td>
 <input type="password" name="pass" maxlength="10">
 </td></tr>
 <tr><td>Confirm Password:</td><td>
 <input type="password" name="pass2" maxlength="10">
 </td></tr>
 <tr><th colspan=2><input type="submit" name="submit" 
value="Register"></th></tr> </table>
 </form>
 <?php
 }
 ?>

对于激活,我有以下代码 - 

<?php
if (isset($_GET['x'])) {
    $x = (int) $_GET['x'];
} else {
    $x = 0;
}
if (isset($_GET['y'])) {
    $y = $_GET['y'];
} else {
    $y = 0;
}
if ( ($x> 0) && (strlen($y) == 32)) {
    require_once ('mysql_connect.php');
    $query = "UPDATE User SET active=NULL WHERE (id=$x AND active='" . $y . "') LIMIT 1";  
    $result = mysql_query($query);

    if (mysql_affected_rows() == 1) {
        echo "<h3>Your account is now active. You may now log in.</h3>";
    } else {
        echo '<p><font color="red" size="+1">Your account could not be activated. Please re-check the link or contact the system administrator.</font></p>';
    }
    mysql_close();
} else {
    echo '<b>Activation link not valid!</b>';
}
?>

我继续收到此错误 - -

注意:未定义的变量:第87行的/var/www/users/ec09580/project_test/r_test.php中的fname 注意:未定义的变量:第87行的/var/www/users/ec09580/project_test/r_test.php中的lname 注意:未定义的变量:第87行的/var/www/users/ec09580/project_test/r_test.php中的email_id 注意:未定义的变量:第87行的/var/www/users/ec09580/project_test/r_test.php中的username_r 注意:未定义的变量:第87行/var/www/users/ec09580/project_test/r_test.php中的password_1

我很困惑。谁能帮帮我吗?三江源。

2 个答案:

答案 0 :(得分:3)

您需要移动这些行:

$insert = "INSERT INTO User set FirstName='$fname', LastName='$lname',  Email='$email_id', username='$username_r', password='$password_1'";

$add_member = mysql_query($insert);

现在它们超出条件,检查是否设置了这些值。因此,如果表单没有正确填写,您将收到这些通知,因为这些变量未设置。

更清楚的是,这两行应该移到以下条件中:

if(isset($_POST['firstname']) && isset($_POST['lastname']) && isset($_POST['email']) && isset($_POST['username']) && isset($_POST['pass1']) && isset($_POST['pass2']))
           {
                //Your existing code here

                //And move these two lines in here also:
                $insert = "INSERT INTO User set FirstName='$fname', LastName='$lname',  Email='$email_id', username='$username_r', password='$password_1'";

                $add_member = mysql_query($insert);
           }

您需要在那里移动该代码,因为如果未设置任何表单值,则不会设置变量$ fname,$ lname,$ email_id,因为它们是在该条件中设置的。

当您尝试访问未设置的变量时,PHP将在这种情况下发出通知。

正如Brad指出的那样,您的代码不是很安全,因此您不应该在生产环境中使用它。我刚刚为您的问题提供了修复方法。

如果您只是在学校学习或这样做,这有点好,但是养成防止SQL注入和验证用户输入的习惯绝对是个好主意。

这是一个关于防止SQL注入的Stack Overflow问题,它解释了它比我更好:

How can I prevent SQL injection in PHP?

答案 1 :(得分:1)

  

注意:未定义......

当您使用的实例尚未实例化时,抛出此类型的错误。

您在查询中使用的变量未在所有执行流上实例化。所以,收到这个错误。

这可以通过使用isset()检查变量是否已经设置来消除。

例如:

$fname = isset($fname) ? $fname : '';
相关问题
最新问题